You don’t need NAT for a Firewall. NAT doesn’t provide any security benefits what so ever.
If you put something on the internet it should always have a Firewall. Use either ufw or firewalld. I don’t see your argument since anything the bots can each will get probed.
Host a middle node
Keep in mind that none of the hardware you listed is great for hosting. It could work but I would go for somethinga little more modern. Something like a i5-7500 would be great. Get a router with vlans since you probably will want to segment the network.
For networking make sure you have a solid low latency reasonable bandwidth connection. I would do gigabit fiber since that will provide a decent amount of bandwidth while having low latency.
Also you could look into running a i2p node on the same machine since they both need volunteers.
Why wouldn’t you setup a firewall on the VPS?
I would recommend that you bring in someone with experience instead of trying to wing it. It sounds like you are trying to bypass your IT department which is never a good idea. Talk to the people who control the Chromebooks.
What you are looking for is virtual desktop. It will cost money but it is worth it in the end. I would highly recommend that you take a look at Azure virtual desktop or related services. It is all cloud based and it is likely what you are after.
If
That isn’t how you would normally do it
You don’t want to try and span locations on a Container/hypervisor level. The problem is that there is likely to much latency between the sites which will screw with things. Instead, set up replicated data types where it is necessary.
What are you trying to accomplish from this?